To say that this has been an interesting week would be a severe understatement. It has been an absolutely terrible week for privacy.

The week started with the announcement of Heartbleed, a flaw in OpenSSL, the open-source cryptographic library that a large share of websites use to encrypt their connections, including the connections over which users submit their passwords. The flaw lets an attacker read chunks of a web server's memory, which can contain users' passwords, session cookies and even the server's private key. With stolen passwords, thieves can steal users' credit cards and other payment information.
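How the flaw actually works is easy to miss in the coverage, so here is an added example in C that is not from this post and not OpenSSL's own source: a small model of the TLS heartbeat handler. The record layout (one type byte, a two-byte claimed payload length, the payload, 16 bytes of padding), the `payload` length field and the missing bounds check follow OpenSSL's `tls1_process_heartbeat`; the `server_mem` array, the "secret" string next to the record, the function names and the `patched` switch are constructed for illustration. A peer claims a 64-byte payload while sending 4 bytes; the unpatched path copies 64 bytes anyway and echoes back whatever happens to follow the record in memory, while the patched path applies the length check added in OpenSSL 1.0.1g and silently discards the request, as RFC 6520 requires.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "server memory": the heartbeat record sits at the start and
 * unrelated data (a form submission) happens to lie right after it. */
unsigned char server_mem[256];

/* Build a heartbeat request in server_mem that really carries `actual`
 * payload bytes but claims `claimed` in its length field.
 * Returns the true record length. */
size_t build_request(uint16_t claimed, size_t actual) {
    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = HB_REQUEST;
    server_mem[1] = (unsigned char)(claimed >> 8);     /* s2n(claimed, p) */
    server_mem[2] = (unsigned char)(claimed & 0xff);
    memset(server_mem + 3, 'A', actual);                /* real payload */
    memset(server_mem + 3 + actual, 0, HB_PADDING);     /* padding */
    size_t rec_len = 1 + 2 + actual + HB_PADDING;

    /* Constructed sensitive data adjacent to the record in memory. */
    const char *secret = "user=alice&password=hunter2";
    memcpy(server_mem + rec_len, secret, strlen(secret));
    return rec_len;
}

/* Heartbeat handler modelled on OpenSSL's tls1_process_heartbeat.
 * Returns the number of response bytes written to `out`, 0 if the record
 * is silently discarded, or -1 if `out` cannot hold the response. */
int process_heartbeat(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap, int patched) {
    const unsigned char *p = rec;

    /* Patched: a record too short for header plus padding is dropped. */
    if (patched && 1 + 2 + HB_PADDING > rec_len) return 0;

    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);  /* n2s(p, payload) */
    p += 2;

    /* Patched: the actual fix - the claimed payload must fit in the record. */
    if (patched && 1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;

    if (hbtype != HB_REQUEST) return 0;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;

    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    /* Unpatched: copies `payload` bytes from `p` no matter how long the
     * record really was, so the reply echoes adjacent memory. */
    memcpy(bp, p, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);   /* OpenSSL uses random padding; zeros here */
    return (int)resp_len;
}

/* True if the constructed password appears anywhere in a response. */
int response_leaks(const unsigned char *buf, int len) {
    const char *needle = "hunter2";
    int nl = (int)strlen(needle);
    for (int i = 0; i + nl <= len; i++)
        if (memcmp(buf + i, needle, (size_t)nl) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char resp[256];
    size_t rec_len = build_request(64, 4);   /* claims 64 bytes, sends 4 */

    int n = process_heartbeat(server_mem, rec_len, resp, sizeof resp, 0);
    printf("unpatched: %d-byte reply, leaks the secret: %s\n",
           n, response_leaks(resp, n) ? "yes" : "no");

    int m = process_heartbeat(server_mem, rec_len, resp, sizeof resp, 1);
    printf("patched:   %s\n", m == 0 ? "request silently discarded"
                                     : "replied");
    return 0;
}
```

The lie is only in one 16-bit field, and a claimed length is capped at 65,535 bytes, which is where the "64K per request" figure comes from; nothing stops the attacker from repeating the request to read a different slice each time.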

"Heartbleed is a catastrophic bug... an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11. Half a million sites are vulnerable."

"The discovery of a significant flaw in software that was supposed to provide extra protection for thousands of websites has thrown the tech world into chaos as experts scrambled to understand the scope of the vulnerability. On Tuesday, Tumblr, which is owned by Yahoo, became the largest website to disclose that it had been hit by the "Heartbleed Bug" and urged users to change not just the password for its site but for all others as well."

Next, some security experts advised consumers to change all of their passwords and to avoid online banking until fixes were in place. Then experts advised consumers not to change all of their passwords yet. The revised advice followed from the nature of the flaw and from the fact that some websites hadn't yet fixed it: a new password sent to a server that is still running vulnerable OpenSSL can be read out of that server's memory just like the old one, so a password should be changed only after the site has patched and, ideally, replaced its certificate, since the server's private key may have been exposed as well.

Note that this was a two-year-old security hole: the bug shipped in OpenSSL 1.0.1 in March 2012 and was not disclosed until April 2014. It makes one wonder why the intelligence community, created to protect citizens, didn't warn somebody. I guess that when you are focused upon offensive cyber weapons, a warning is a bridge too far.

The cynic in me concluded that if the intelligence community knew about Heartbleed years ago, then it, and/or its contractors, probably used it. Why? "The Secret War" report by Wired in June 2013 provides some context:

"Defense contractors have been eager to prove that they understand Alexander’s worldview. “Our Raytheon cyberwarriors play offense and defense,” says one help-wanted site. Consulting and engineering firms such as Invertix and Parsons are among dozens posting online want ads for “computer network exploitation specialists.” And many other companies, some unidentified, are seeking computer and network attackers... One of the most secretive of these contractors is Endgame Systems, a startup backed by VCs including Kleiner Perkins Caufield & Byers, Bessemer Venture Partners, and Paladin Capital Group. Established in Atlanta in 2008... According to news reports, Endgame is developing ways to break into Internet-connected devices through chinks in their antivirus armor. Like safecrackers listening to the click of tumblers through a stethoscope, the “vulnerability researchers” use an extensive array of digital tools to search for hidden weaknesses in commonly used programs and systems, such as Windows and Internet Explorer. And since no one else has ever discovered these unseen cracks, the manufacturers have never developed patches for them."

OpenSSL seems to me to be a commonly used program. There are several takeaways from this Wired report. One is that finding and exploiting vulnerabilities in Internet-connected computers is a big, profitable business. Remember, privately held (and secretive) corporations are beholden only to their investors. Another takeaway: corporations involved in cyberwarfare are free to sell the vulnerabilities they have found to anyone (links added):

"According to Defense News’ C4ISR Journal and Bloomberg Businessweek, Endgame also offers its intelligence clients—agencies like Cyber Command, the NSA, the CIA, and British intelligence—a unique map showing them exactly where their targets are located. Dubbed Bonesaw, the map displays the geolocation and digital address of basically every device connected to the Internet around the world, providing what’s called network situational awareness... It will allow Endgame’s clients to observe in real time as hardware and software connected to the Internet around the world is added, removed, or changed. But such access doesn’t come cheap. One leaked report indicated that annual subscriptions could run as high as $2.5 million for 25 zero-day exploits... The question is, who else is on the secretive company’s client list? Because there is as of yet no oversight or regulation of the cyberweapons trade, companies in the cyber-industrial complex are free to sell to whomever they wish... The companies trading in this arena can sell their wares to the highest bidder—be they frontmen for criminal hacking groups or terrorist organizations or countries that bankroll terrorists..."

Remember, there have been several instances (e.g., Lexis-Nexis, Experian, ChoicePoint, Lexis-Nexis again) where credit reporting agencies and data brokers have sold consumers' sensitive personal information to criminals and other bad guys. So the risk that cyberwarfare vendors will sell vulnerabilities to bad guys is a real one, as the report rightly notes.

What are your opinions of the Heartbleed security flaw? Of websites' responses and notifications? Of the role of the intelligence community?

Comments


Dear Mr. Jenkins: Once again you provide us with important information about threats to our privacy and security. And you provide useful information about what we can do to mitigate this particular threat, at least going forward. That is, we can insist that the websites, which we use, patch their vulnerability, if any, to Heartbleed, and then change our passwords.

But the larger problem is something that no one wants to admit, because of the vast sums of profit and vast sectors of our economy and other economies, which are at stake: The Internet isn't secure; financial transactions on the Internet are not secure; though we have a reasonable expectation of privacy on at least certain of our Internet communications and transactions, none of those communications and transactions are secure; and so we don't have any privacy and/or security on the Internet.

I now have to change some passwords, but I have no belief that those changed passwords will make my communications and transactions on the Internet private or secure, even though my confidential communications and transactions should be both private and secure and even though I have a right and reasonable expectation that they will be private and secure.

So the secret is out: The Internet isn't private; it is not secure, and not only are ordinary people powerless to do anything about it; large firms, such as banks, brokerages, retailers, law firms, news organizations etc., are also powerless to do anything about it.

And why don't we have privacy and security? Well, aside from the technical flaws that arise in any computer system, another more powerful and the essential cause of the failure of privacy and security on the Internet is a witches' brew of: the prerogatives and security needs of empire; the profitability of dishonoring our privacy so that firms can exploit our personal information; and the willingness of government, which is supposed to be our government, in all of its branches to protect and abet the imperial state's security needs and the profitability of firms who exploit our privacy.

That witches' brew may well lead to governments and firms at least exploiting, if not creating, security flaws for their own purposes and profit, but the greater dangers are the immoral and harmful acts, which the state, the United States, has legalized. We, for example, have no property rights in our personal information; private firms, for the sake of their profits, set what can only be described as legalized malware on our computing devices; governments conduct massive surveillance with no other justification than that they can and that it's good to know what everyone is thinking and doing, which, in the case of the U.S. government, is a violation of the U.S. Const.; people are presented with and coerced into contracts, which they can't understand and/or which they aren't given time and resources to review and understand, on pain of being denied needed goods and/or services; and the courts, both state and federal, have stood mute and permitted these violations of people's rights.